Access Levels and Ownership (Example)
The following sections provide some insight into how the ACL checks work. Suppose there are two organizations, Main Organization and Second Organization. Main Organization contains Main Business Unit, and Second Organization contains Second Business Unit. Child Business Unit is a subordinate of Second Business Unit. Additionally, the following users have been created:
| User | Created in Organization | Created in Business Unit | Assigned to |
|---|---|---|---|
| John | Main Organization | Main Business Unit | |
| Mary | Main Organization | Main Business Unit | |
| Mike | Second Organization | Child Business Unit | |
| Robert | Second Organization | Second Business Unit | |
| Mark | Second Organization | Second Business Unit | |
User Ownership
Imagine that each user created two accounts (one in Main Organization and one in Second Organization):
| Created by | Main Organization | Second Organization |
|---|---|---|
| John | Account A | Account E |
| Mary | Account B | Account F |
| Mike | Account G | Account C |
| Robert | Account H | Account D |
| Mark | Account I | Account J |
The users can now access the accounts depending on the organization context they log in to, as described below:
John
| Access Level | Main Organization | Second Organization |
|---|---|---|
| User | | |
| Business Unit | | |
| Division | | |
| Organization | | |
Mary
| Access Level | Main Organization | Second Organization |
|---|---|---|
| User | | |
| Business Unit | | |
| Division | | |
| Organization | | |
Mike
The user Mike cannot log in to the Main Organization.
| Access Level | Second Organization |
|---|---|
| User | |
| Business Unit | |
| Division | |
| Organization | |
Robert
| Access Level | Main Organization | Second Organization |
|---|---|---|
| User | | |
| Business Unit | | |
| Division | | |
| Organization | | |
Mark
The user Mark cannot log in to the Main Organization.
| Access Level | Second Organization |
|---|---|
| User | |
| Business Unit | |
| Division | |
| Organization | |
Business Unit Ownership
When the ownership type is “Business Unit”, access cannot be granted on the user level. The minimum access level is the Business Unit level.
Imagine that the following data has been created:
| Account | Organization | Business Unit |
|---|---|---|
| Account A | Main Organization | Business Unit A |
| Account B | Main Organization | Business Unit A |
| Account C | Second Organization | Business Unit C |
| Account D | Second Organization | Business Unit B |
| Account E | Second Organization | Business Unit B |
The users can now access the accounts as described below:
John
| Access Level | Main Organization | Second Organization |
|---|---|---|
| Business Unit | | |
| Division | | |
| Organization | | |
Mary
| Access Level | Main Organization | Second Organization |
|---|---|---|
| Business Unit | | |
| Division | | |
| Organization | | |
Mike
The user Mark cannot log in to the Main Organization.
| Access Level | Second Organization |
|---|---|
| User | |
| Business Unit | |
| Division | |
| Organization | |
Robert
| Access Level | Main Organization | Second Organization |
|---|---|---|
| Business Unit | | |
| Division | | |
| Organization | | |
Mark
The user Mark cannot log in to the Main Organization.
| Access Level | Second Organization |
|---|---|
| User | |
| Business Unit | |
| Division | |
| Organization | |
Organization Ownership
When the ownership type is “Organization”, access cannot be granted on the user, business, or division levels. The minimum access level is the Organization level.
Imagine that the following data has been created:
| Account | Organization |
|---|---|
| Account A | Main Organization |
| Account B | Main Organization |
| Account C | Second Organization |
| Account D | Second Organization |
| Account E | Second Organization |
The users can now access the accounts as described below:
John, Mary, Robert
| Access Level | Main Organization | Second Organization |
|---|---|---|
| Organization | | |
Mike, Mark
The users cannot log in to the Main Organization.
| Access Level | Second Organization |
|---|---|
| Organization | |
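The checks walked through on this page can be modelled as a deny-by-default function. This is an added example, not code from the original page or from the platform it describes. Assumptions: the meaning given to each access level (own records, same business unit, business unit plus subordinates, whole organization), one business unit per user, the names `grantable`, `in_division`, `can_access` and `visible`, and a constructed subset of accounts that reuses the page's names.

```python
from collections import namedtuple

LEVELS = ["User", "Business Unit", "Division", "Organization"]  # narrowest to widest
# Narrowest level that can be granted for each ownership type (rule stated on the page).
MIN_LEVEL = {"User": "User", "Business Unit": "Business Unit", "Organization": "Organization"}
# Child Business Unit is a subordinate of Second Business Unit (from the page).
PARENT = {"Child Business Unit": "Second Business Unit"}
User = namedtuple("User", "name unit orgs")      # orgs: organizations the user can log in to
Record = namedtuple("Record", "name org owner")  # user-owned record

def grantable(ownership_type, level):
    """False when the level is below the minimum for the ownership type."""
    return LEVELS.index(level) >= LEVELS.index(MIN_LEVEL[ownership_type])

def in_division(unit, root):
    """True when unit is root or one of its subordinates."""
    while unit is not None and unit != root:
        unit = PARENT.get(unit)
    return unit == root

def can_access(user, context_org, record, level, ownership_type="User"):
    """Assumed, simplified model of the level semantics; not the platform's code."""
    if not grantable(ownership_type, level):
        return False  # e.g. User level on a Business Unit owned entity
    if context_org not in user.orgs or record.org != context_org:
        return False  # no login right, or record belongs to another organization
    if level == "User":
        return record.owner == user
    if level == "Business Unit":
        return record.owner.unit == user.unit
    if level == "Division":
        return in_division(record.owner.unit, user.unit)
    return True  # Organization: every record in the current organization

# Constructed sample data using the page's names; login rights follow the page's statements.
BOTH = ("Main Organization", "Second Organization")
JOHN = User("John", "Main Business Unit", BOTH)
MIKE = User("Mike", "Child Business Unit", BOTH[1:])
ROBERT = User("Robert", "Second Business Unit", BOTH)
MARK = User("Mark", "Second Business Unit", BOTH[1:])
ACCOUNTS = [Record("Account A", BOTH[0], JOHN), Record("Account E", BOTH[1], JOHN),
            Record("Account C", BOTH[1], MIKE), Record("Account D", BOTH[1], ROBERT),
            Record("Account J", BOTH[1], MARK)]

def visible(user, context_org, level):
    return sorted(r.name for r in ACCOUNTS if can_access(user, context_org, r, level))

if __name__ == "__main__":
    print({lvl: visible(ROBERT, BOTH[1], lvl) for lvl in LEVELS})
```

The results are those of this model over the constructed subset and are not a reconstruction of the page's access tables.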